Security Testing is performed to find security flaws (loopholes or weaknesses) in the system under test, with the intention of protecting the system against possible attacks. The following are the security attributes (also called security requirements or measures) that a system must satisfy in order to be protected from attacks.
Security Testing Attributes: Security Testing is performed on the system under test to verify that it satisfies the following security attributes:
- Confidentiality: The system should not disclose confidential information to unauthorized users or systems. (Information should be kept private and protected from unauthorized access, both while stored and while in transit, typically through access control and encryption.)
- Integrity: The system should deliver correct, unaltered information to the intended users according to their privileges and restrictions. (Data should not be modified, deleted or added, whether by accident or by an attacker, while it is stored, while it is transferred, or before it is presented to the user. Checksums, message authentication codes and digital signatures are the usual means of detecting tampering.)
- Authenticity: The system should be able to verify and confirm the identity of users, devices or programs and grant access only to genuine ones. (Examples of authentication factors are passwords, One Time Passwords over SMS, Security Questions, Biometric Authentication and Token-based Authentication. Note that SMS OTPs and security questions are considered weak factors, since SMS messages can be intercepted or redirected by SIM swapping and the answers to security questions are often guessable or publicly known.)
- Authorization: Once authentication succeeds and access to the system is allowed, Authorization comes into the picture. The system should restrict user activities to the roles and permissions assigned to that user. (A user or a group may not have permission to perform certain tasks in the system. Authorization should allow an action only for users who hold the required privilege, and the check must be enforced on the server for every request, not only by hiding options in the user interface.)
- Availability: The system should make its information and services available to authorized users when needed. (Attacks such as Denial of Service aim to exhaust the system's resources so that it shuts down or becomes unavailable to the authorized users.)
- Non-repudiation: The system should be able to prove that a sender actually sent a document or initiated a transaction, and that a recipient actually received, viewed or signed it, so that neither party can later deny their action. (Non-repudiation is an assurance provided by the system that someone cannot deny something. It is typically implemented with digital signatures and tamper-evident audit logs, which bind each action to a specific identity.)
- Resilience: The system should be able to withstand attacks and keep operating, or recover quickly, when an attack occurs. (Implemented with layered measures such as encryption, two-factor authentication, hardware or software tokens such as RSA SecurID, rate limiting and redundancy.)
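The following is an added worked example, not code from the original post. It models a small service that enforces authentication (salted password hashing with a constant-time comparison), role-based authorization and an integrity check on messages in transit, and then runs a set of security test cases that each try to violate one of the attributes above (reading data with wrong credentials, deleting data as a low-privilege user, tampering with a message). All names, credentials, the salt, the records and the permission table are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# --- Constructed demo data (not from the original post) ---------------------
SALT = b"demo-salt"  # demo only: a real system uses a random per-user salt


def _hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {
    "alice": {"pw": _hash_password("alice-pass", SALT), "role": "admin"},
    "bob":   {"pw": _hash_password("bob-pass", SALT),   "role": "viewer"},
}
PERMISSIONS = {"admin": {"read", "delete"}, "viewer": {"read"}}
# Dummy hash so that unknown users cost the same time as known ones
# (prevents username enumeration through response timing)
_DUMMY_HASH = _hash_password("dummy", SALT)


def authenticate(username: str, password: str):
    """Return the username if the credentials are genuine, else None."""
    candidate = _hash_password(password, SALT)
    user = USERS.get(username)
    stored = user["pw"] if user else _DUMMY_HASH
    ok = hmac.compare_digest(candidate, stored)  # constant-time compare
    return username if (user and ok) else None


def authorize(username: str, action: str) -> bool:
    """Role-based check: is this (already authenticated) user allowed the action?"""
    role = USERS[username]["role"]
    return action in PERMISSIONS.get(role, set())


def handle_request(records: dict, username: str, password: str,
                   action: str, record_id: str):
    """Server-side handler returning (status, body). Record content is
    released only after both authentication and authorization succeed."""
    who = authenticate(username, password)
    if who is None:
        return 401, "authentication failed"
    if not authorize(who, action):
        return 403, "forbidden"
    if action == "read":
        return 200, records.get(record_id, "")
    if action == "delete":
        records.pop(record_id, None)
        return 200, "deleted"
    return 400, "unknown action"


# --- Integrity protection for data in transit (shared-key MAC) --------------
MAC_KEY = secrets.token_bytes(32)


def tag(message: str) -> str:
    """HMAC-SHA256 tag that the receiver uses to detect tampering."""
    return hmac.new(MAC_KEY, message.encode(), "sha256").hexdigest()


def verify(message: str, received_tag: str) -> bool:
    return hmac.compare_digest(tag(message), received_tag)


# --- Security test cases: each one tries to violate an attribute ------------
def run_security_tests() -> dict:
    records = {"r1": "confidential payroll data"}
    results = {}

    # Confidentiality / Authenticity: a wrong password must not leak the record
    status, body = handle_request(records, "alice", "wrong", "read", "r1")
    results["confidentiality"] = status == 401 and "payroll" not in body

    # An unknown user must get exactly the same response as a wrong password
    status, body = handle_request(records, "mallory", "x", "read", "r1")
    results["no_user_enumeration"] = (status, body) == (401, "authentication failed")

    # Authorization: a viewer must not be able to delete, and the data stays intact
    status, _ = handle_request(records, "bob", "bob-pass", "delete", "r1")
    results["authorization"] = status == 403 and "r1" in records

    # Positive case: an authorized read still works
    status, body = handle_request(records, "bob", "bob-pass", "read", "r1")
    results["authorized_read"] = status == 200 and body == "confidential payroll data"

    # Integrity: a message altered in transit must fail verification
    message = "transfer 100 to bob"
    t = tag(message)
    results["integrity"] = verify(message, t) and not verify("transfer 900 to bob", t)

    return results


if __name__ == "__main__":
    for name, passed in run_security_tests().items():
        print(f"{name:22s} {'PASS' if passed else 'FAIL'}")
```

Each test case is written from the attacker's side: it attempts the forbidden action and passes only if the system refuses it without leaking the protected data. Note that the HMAC used here gives integrity but not non-repudiation, because sender and receiver share the same key and either of them could have produced the tag; proving who sent a message needs an asymmetric digital signature, which is outside this example.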
The following image depicts different attributes of Security Testing:
Conclusion: As part of Security Testing, the testing team should verify that the system under test has measures in place to protect each of the attributes listed above, and should design test cases that actively try to violate each one (for example, reading data without logging in, performing an administrator action from a normal user account, or tampering with data while it is in transit).
Please leave your questions/comments/feedback below.
Happy Learning 🙂
Arun Motoori (www.QAFox.com)